Add support to throw OOM if MarkedArgumentBuffer may overflow.
https://bugs.webkit.org/show_bug.cgi?id=179092
<rdar://problem/35116160>
Reviewed by Saam Barati.
Source/JavaScriptCore:
The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
time, which renders it unsuitable for automated tests. Instead, I've run a
test manually to verify that an OutOfMemoryError will be thrown when an overflow
occurs.
The MarkedArgumentBuffer's destructor will now assert that the client has indeed
checked for an overflow after invoking methods that may result in an overflow i.e.
the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
This is only done on debug builds.
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeRegExp):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
- dfg/DFGOperations.cpp:
- inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::createInjectedScript):
- inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeChain const):
- interpreter/Interpreter.cpp:
(JSC::Interpreter::executeProgram):
(functionDollarAgentReceiveBroadcast):
(JSC::MarkedArgumentBuffer::slowEnsureCapacity):
(JSC::MarkedArgumentBuffer::expandCapacity):
(JSC::MarkedArgumentBuffer::slowAppend):
(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::appendWithAction):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
(JSC::MarkedArgumentBuffer::hasOverflowed):
(JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
(JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
- runtime/ArrayPrototype.cpp:
- runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
- runtime/GetterSetter.cpp:
(JSC::callSetter):
- runtime/IteratorOperations.cpp:
(JSC::iteratorNext):
(JSC::iteratorClose):
- runtime/JSBoundFunction.cpp:
(JSC::boundThisNoArgsFunctionCall):
(JSC::boundFunctionCall):
(JSC::boundThisNoArgsFunctionConstruct):
(JSC::boundFunctionConstruct):
- runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewFromIterator):
- runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewProtoFuncSlice):
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
- runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::haveABadTime):
- runtime/JSInternalPromise.cpp:
(JSC::JSInternalPromise::then):
(JSC::JSJobMicrotask::run):
- runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::createPair):
- runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::provideFetch):
(JSC::JSModuleLoader::loadAndEvaluateModule):
(JSC::JSModuleLoader::loadModule):
(JSC::JSModuleLoader::linkAndEvaluateModule):
(JSC::JSModuleLoader::requestImportModule):
(JSC::Stringifier::toJSONImpl):
(JSC::Stringifier::appendStringifiedValue):
(JSC::Walker::callReviver):
(JSC::ordinarySetSlow):
(JSC::callToPrimitiveFunction):
(JSC::JSObject::hasInstance):
(JSC::JSPromise::initialize):
(JSC::JSPromise::resolve):
- runtime/JSPromiseDeferred.cpp:
(JSC::newPromiseCapability):
(JSC::callFunction):
- runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::createPair):
- runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
- runtime/MapConstructor.cpp:
(JSC::constructMap):
- runtime/ObjectConstructor.cpp:
(JSC::defineProperties):
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::performProxyCall):
(JSC::performProxyConstruct):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::performPreventExtensions):
(JSC::ProxyObject::performIsExtensible):
(JSC::ProxyObject::performDefineOwnProperty):
(JSC::ProxyObject::performGetOwnPropertyNames):
(JSC::ProxyObject::performSetPrototype):
(JSC::ProxyObject::performGetPrototype):
- runtime/ReflectObject.cpp:
(JSC::reflectObjectConstruct):
- runtime/SetConstructor.cpp:
(JSC::constructSet):
- runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
(JSC::replaceUsingStringSearch):
- runtime/WeakMapConstructor.cpp:
(JSC::constructWeakMap):
- runtime/WeakSetConstructor.cpp:
(JSC::constructWeakSet):
(JSC::Wasm::wasmToJS):
Source/WebCore:
No new tests. The test for overflowing a MarkedArgumentBuffer will run for a
ridiculously long time, which renders it unsuitable for automated tests.
- Modules/plugins/QuickTimePluginReplacement.mm:
(WebCore::QuickTimePluginReplacement::installReplacement):
- bindings/js/JSCustomElementInterface.cpp:
(WebCore::constructCustomElementSynchronously):
(WebCore::JSCustomElementInterface::upgradeElement):
(WebCore::JSCustomElementInterface::invokeCallback):
- bindings/js/JSCustomXPathNSResolver.cpp:
(WebCore::JSCustomXPathNSResolver::lookupNamespaceURI):
- bindings/js/JSDOMBuiltinConstructorBase.cpp:
(WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments):
- bindings/js/JSDOMConvertSequences.h:
(WebCore::JSConverter<IDLSequence<T>>::convert):
(WebCore::JSConverter<IDLFrozenArray<T>>::convert):
- bindings/js/JSDOMConvertWebGL.cpp:
(WebCore::convertToJSValue):
- bindings/js/JSDOMIterator.h:
(WebCore::jsPair):
(WebCore::iteratorForEach):
- bindings/js/JSDOMMapLike.cpp:
(WebCore::forwardFunctionCallToBackingMap):
(WebCore::forwardForEachCallToBackingMap):
- bindings/js/JSDOMPromiseDeferred.cpp:
(WebCore::DeferredPromise::callFunction):
(WebCore::createRejectedPromiseWithTypeError):
- bindings/js/JSErrorHandler.cpp:
(WebCore::JSErrorHandler::handleEvent):
- bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::handleEvent):
- bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction const):
- bindings/js/JSPluginElementFunctions.cpp:
(WebCore::callPlugin):
- bindings/js/JSReadableStreamPrivateConstructors.cpp:
(WebCore::constructJSReadableStreamReaderGeneric):
- bindings/js/ReadableStream.cpp:
(WebCore::ReadableStream::create):
(WebCore::ReadableStream::pipeTo):
(WebCore::ReadableStream::tee):
(WebCore::ReadableStream::lock):
(WebCore::checkReadableStream):
- bindings/js/ReadableStreamDefaultController.cpp:
(WebCore::ReadableStreamDefaultController::invoke):
- bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::executeFunctionInContext):
- bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneSerializer::recordObject):
(WebCore::CloneSerializer::serialize):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::CloneDeserializer::deserialize):
- bindings/scripts/CodeGeneratorJS.pm:
(GenerateCallbackImplementationContent):
- bindings/scripts/test/JS/JSTestCallbackFunction.cpp:
(WebCore::JSTestCallbackFunction::handleEvent):
- bindings/scripts/test/JS/JSTestCallbackFunctionRethrow.cpp:
(WebCore::JSTestCallbackFunctionRethrow::handleEvent):
- bindings/scripts/test/JS/JSTestCallbackFunctionWithThisObject.cpp:
(WebCore::JSTestCallbackFunctionWithThisObject::handleEvent):
- bindings/scripts/test/JS/JSTestCallbackFunctionWithTypedefs.cpp:
(WebCore::JSTestCallbackFunctionWithTypedefs::handleEvent):
- bindings/scripts/test/JS/JSTestCallbackInterface.cpp:
(WebCore::JSTestCallbackInterface::callbackWithNoParam):
(WebCore::JSTestCallbackInterface::callbackWithArrayParam):
(WebCore::JSTestCallbackInterface::callbackWithSerializedScriptValueParam):
(WebCore::JSTestCallbackInterface::callbackWithStringList):
(WebCore::JSTestCallbackInterface::callbackWithBoolean):
(WebCore::JSTestCallbackInterface::callbackRequiresThisToPass):
(WebCore::JSTestCallbackInterface::callbackWithAReturnValue):
(WebCore::JSTestCallbackInterface::callbackThatRethrowsExceptions):
(WebCore::JSTestCallbackInterface::callbackThatSkipsInvokeCheck):
(WebCore::JSTestCallbackInterface::callbackWithThisObject):
- bindings/scripts/test/JS/JSTestVoidCallbackFunction.cpp:
(WebCore::JSTestVoidCallbackFunction::handleEvent):
- bridge/NP_jsobject.cpp:
- bridge/objc/WebScriptObject.mm:
(-[WebScriptObject callWebScriptMethod:withArguments:]):
- html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::updateCaptionContainer):
(WebCore::HTMLMediaElement::didAddUserAgentShadowRoot):
(WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange):
(WebCore::HTMLMediaElement::getCurrentMediaControlsStatus):
- html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::didAddUserAgentShadowRoot):
(WebCore::Internals::cloneArrayBuffer):
